A. refactor legislagion codeB. put pg escape in it's own file

README.md

@@ -61,6 +61,7 @@ examples:
     /legislation-by-knesset/20?SubTypeDesc=ממשלתית
     /legislation?Name=ציבורי&page=2
     /legislation-by-knesset/19?SubTypeDesc=פרטית&PrivateNumberStart=50&PrivateNumberEnd=60
+    /legislation-by-knesset/20?PrivateNumber=1000
 
 ### Data Cache
 

api/legislation/legislation.data.adapter.js

@@ -19,29 +19,29 @@ ORDER BY   "GroupTypeID"
 module.exports = {
   // get committees summary for all knessets
   // https://app.redash.io/hasadna/queries/165441/source#284091
-  all: (route, callback, _, page = 0, where = "true") => {
+  all: (route, callback, params, options) => {
     const query = legislationSelectQuery + `
       FROM bills_kns_bill s
-      WHERE ${where}
+      WHERE ${options.where}
       ORDER BY "BillID" desc
       LIMIT 20
-      OFFSET ` + (page*20) +`;
+      OFFSET (${options.page}*20);
       `;
     getDataAndCallback(query, route, callback)
   },
   // get committees for specific knesset
   // https://app.redash.io/hasadna/queries/165441/source#284091
-  byKnessetNum: (route, callback, knessetNum, page = '0', where = "true") => {
+  byKnessetNum: (route, callback, params, options) => {
     const query = legislationSelectQuery + `
     FROM bills_kns_bill s
-    where "KnessetNum" = ${knessetNum} AND ${where}
+    where "KnessetNum" = ${params.knessetNum} AND ${options.where}
     ORDER BY "BillID" DESC
     LIMIT 20
-    OFFSET ` + (page*20) +`;
+    OFFSET (${options.page}*20);
     `;
     getDataAndCallback(query, route, callback)
   },
-  countByKnessetNum: (route, callback, _1, _2) => {
+  countByKnessetNum: (route, callback, params, options) => {
     const query = `
     SELECT "KnessetNum", n."Name", count(*) as num_bills
     FROM bills_kns_bill b

api/legislation/legislation.route.js

@@ -1,16 +1,23 @@
 const router = require('express').Router();
 const collection = require('./legislation.data.adapter');
 const debug = require('debug')('legislation route');
-const whereParser = require('../../services/data.service').requestToWhereClause;
+const whereParser = require('../../services/pg.escape.service').requestToWhereClause;
 
 const requestCollection = (req, res, fn) => {
-  const knessetNum = Number(req.params['knessetNum']);
-  const page = Number(req.query['page'] || 1) - 1;
-  const where = whereParser(req.query, ["PrivateNumber", "SubTypeID", "BillID", "StatusID"], ["Name", "SubTypeDesc"]) || "true";
+  const params = {
+    knessetNum: Number(req.params['knessetNum'])
+  };
+  const options = {
+    page: Number(req.query['page'] || 1) - 1,
+    where: whereParser(req.query, ["PrivateNumber", "SubTypeID", "BillID", "StatusID"], ["Name", "SubTypeDesc"]) || "true"
+  };
+//   const knessetNum = Number(req.params['knessetNum']);
+//   const page = Number(req.query['page'] || 1) - 1;
+//   const where = whereParser(req.query, ["PrivateNumber", "SubTypeID", "BillID", "StatusID"], ["Name", "SubTypeDesc"]) || "true";
   // on dev - log
   debug(`:${req.route.path}`);
   // call collection function with route and callback
-  fn(req.route.path, (d) => res.json(d), knessetNum, page, where);
+  fn(req.route.path, (d) => res.json(d), params, options);
 };
 
 // statistics of all legislation per knesset

package.json

@@ -15,7 +15,8 @@
     "express": "^4.16.4",
     "glob": "^7.1.3",
     "nano-cache": "^1.1.2",
-    "pg": "^7.8.0"
+    "pg": "^7.8.0",
+    "pg-escape": "^0.2.0"
   },
   "devDependencies": {
     "nodemon": "^1.18.10"

services/data.service.js

@@ -42,30 +42,6 @@ const cache = new NanoCache({
   bytes: 100 * NanoCache.SIZE.MB, // max memory use for data
 });
 
-module.exports.requestToWhereClause = function(query, allowedNumFields, allowedStrFields) {
-  var demands = [];
-  for(let field in allowedNumFields) {
-    field = allowedNumFields[field];
-    if(typeof query[field] !== 'undefined') {
-      demands.push('"' + field + "\"=" + Number(query[field]));
-    }
-    if(typeof query[field + "Start"] !== 'undefined') {
-      demands.push('"' + field + "\">=" + Number(query[field + "Start"]));
-    }
-    if(typeof query[field + "End"] !== 'undefined') {
-      demands.push('"' + field + "\"<=" + Number(query[field + "End"]));
-    }
-  }
-  for(let field in allowedStrFields) {
-    field = allowedStrFields[field];
-    if(typeof query[field] !== 'undefined' &&
-        query[field].search(/[\'\"\;\`\%*\\/:$]/) < 0) { // disable special characters in query; avoid SQL injection
-      demands.push('"' + field + "\" LIKE \'%" + query[field] + "%'");
-    }
-  }
-  return demands.join(" AND ");
-}
-
 async function getData(query, path) {
   cache.clearExpired();	// deletes all expired key with their values to free up memory
 

services/pg.escape.service.js

@@ -0,0 +1,26 @@
+// set logger namespace: debugBase:currentFile
+const debug = require('./log.service').debugBuilder(module.filename);
+const escape = require("pg-escape");
+
+module.exports.requestToWhereClause = function(query, allowedNumFields, allowedStrFields) {
+  var demands = [];
+  for(let field in allowedNumFields) {
+    field = allowedNumFields[field];
+    if(typeof query[field] !== 'undefined') {
+      demands.push('"' + field + "\"=" + Number(query[field]));
+    }
+    if(typeof query[field + "Start"] !== 'undefined') {
+      demands.push('"' + field + "\">=" + Number(query[field + "Start"]));
+    }
+    if(typeof query[field + "End"] !== 'undefined') {
+      demands.push('"' + field + "\"<=" + Number(query[field + "End"]));
+    }
+  }
+  for(let field in allowedStrFields) {
+    field = allowedStrFields[field];
+    if(typeof query[field] !== 'undefined') {
+      demands.push('"' + field + "\" LIKE " + escape("'%%%s%%'", query[field]));
+    }
+  }
+  return demands.join(" AND ");
+};